Detect invalid Base64 encoding in signature (#162)

firebase · Jun 21, 2017 · d67523f · d67523f
1 parent b2a5316
commit d67523f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/src/JWT.php b/src/JWT.php
@@ -87,8 +87,9 @@ public static function decode($jwt, $key, $allowed_algs = array())
         if (null === $payload = static::jsonDecode(static::urlsafeB64Decode($bodyb64))) {
             throw new UnexpectedValueException('Invalid claims encoding');
         }
-        $sig = static::urlsafeB64Decode($cryptob64);
-
+        if (false === ($sig = static::urlsafeB64Decode($cryptob64))) {
+            throw new UnexpectedValueException('Invalid signature encoding');
+        }
         if (empty($header->alg)) {
             throw new UnexpectedValueException('Empty algorithm');
         }

diff --git a/tests/JWTTest.php b/tests/JWTTest.php
@@ -267,6 +267,13 @@ public function testInvalidSegmentCount()
         JWT::decode('brokenheader.brokenbody', 'my_key', array('HS256'));
     }
 
+    public function testInvalidSignatureEncoding()
+    {
+        $msg = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6MSwibmFtZSI6ImZvbyJ9.Q4Kee9E8o0Xfo4ADXvYA8t7dN_X_bU9K5w6tXuiSjlUxx";
+        $this->setExpectedException('UnexpectedValueException');
+        JWT::decode($msg, 'secret', array('HS256'));
+    }
+
     public function testVerifyError()
     {
         $this->setExpectedException('DomainException');